From 17d39ceb91866f80d7c06e710acac35f0104ccde Mon Sep 17 00:00:00 2001 From: Thomas Rubini <74205383+ThomasRubini@users.noreply.github.com> Date: Mon, 27 Mar 2023 16:57:41 +0200 Subject: [PATCH 1/2] add decorator to restrict admin endpoints --- truthinquiry/routes/routes_admin.py | 7 +++++++ truthinquiry/routes/routes_api_admin.py | 5 +++++ truthinquiry/utils.py | 20 ++++++++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 truthinquiry/utils.py diff --git a/truthinquiry/routes/routes_admin.py b/truthinquiry/routes/routes_admin.py index 4a03368..4572278 100644 --- a/truthinquiry/routes/routes_admin.py +++ b/truthinquiry/routes/routes_admin.py @@ -3,18 +3,22 @@ from sqlalchemy import select, or_ from truthinquiry.ext.database.models import * from truthinquiry.ext.database.fsa import db +from truthinquiry.utils import require_admin + routes_admin = flask.Blueprint("admin", __name__) DEFAULT_LANG = "FR" @routes_admin.route("/") +@require_admin(ui=True) def index(): npcs_objs = db.session.query(Npc).all() npcs_dicts = [{"id": npc_obj.NPC_ID, "name": npc_obj.NAME_LOCALE.get_text(DEFAULT_LANG).TEXT} for npc_obj in npcs_objs] return flask.render_template("admin/index.html", npcs=npcs_dicts) @routes_admin.route("/npc/") +@require_admin(ui=True) def npc(npc_id): if npc_id == "new": return flask.render_template("admin/npc.html", npc={}) @@ -36,6 +40,7 @@ def npc(npc_id): return flask.render_template("admin/npc.html", npc=npc_dict) @routes_admin.route("/questions") +@require_admin(ui=True) def questions(): lang = DEFAULT_LANG @@ -62,6 +67,7 @@ def questions(): return flask.render_template("admin/questions.html", questions=data, langs=["FR", "EN"]) @routes_admin.route("/places") +@require_admin(ui=True) def places(): lang = DEFAULT_LANG @@ -70,6 +76,7 @@ def places(): return flask.render_template("admin/places.html", places=places_dicts) @routes_admin.route("/traits") +@require_admin(ui=True) def traits(): lang = DEFAULT_LANG 
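Review bot: Admin access is enforced opt-in per view here — the five new `@require_admin(ui=True)` lines — so any view added to this blueprint later without that line is reachable with no authentication at all; the same holds for the four `@require_admin(api=True)` hunks in routes_api_admin.py. A blueprint-level hook would make the blueprint deny-by-default, e.g. `@routes_admin.before_request` / `def _admin_only():` / `if not flask.session.get("admin"): return flask.redirect("/admin/auth")`, with the login page view (the `auth` view the second patch adds to this same blueprint) exempted by endpoint name so it does not redirect to itself. The decorator order as written is correct: `route` is outermost, so the wrapped function is what gets registered.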
diff --git a/truthinquiry/routes/routes_api_admin.py b/truthinquiry/routes/routes_api_admin.py index 3b88cef..1caccbe 100644 --- a/truthinquiry/routes/routes_api_admin.py +++ b/truthinquiry/routes/routes_api_admin.py @@ -3,11 +3,13 @@ from sqlalchemy import select, delete, or_ from truthinquiry.ext.database.models import * from truthinquiry.ext.database.fsa import db +from truthinquiry.utils import require_admin routes_api_admin = flask.Blueprint("api_admin", __name__) @routes_api_admin.route("/setQuestions", methods=["GET", "POST"]) +@require_admin(api=True) def set_questions(): if not flask.request.json: return {"error": 1, "msg": "no json set"} @@ -44,6 +46,7 @@ def set_questions(): return {"error": 0} @routes_api_admin.route("/setTraits", methods=["GET", "POST"]) +@require_admin(api=True) def set_traits(): input_lang = flask.request.json["lang"] input_traits = flask.request.json["traits"] @@ -86,6 +89,7 @@ def set_traits(): return {"error": 0} @routes_api_admin.route("/setPlaces", methods=["GET", "POST"]) +@require_admin(api=True) def set_places(): input_lang = flask.request.json["lang"] input_places = flask.request.json["places"] @@ -124,6 +128,7 @@ def set_places(): return {"error": 0} @routes_api_admin.route("/setNpc", methods=["GET", "POST"]) +@require_admin(api=True) def set_npc(): input_lang = flask.request.json["lang"] input_npc = flask.request.json["npc"] diff --git a/truthinquiry/utils.py b/truthinquiry/utils.py new file mode 100644 index 0000000..9359137 --- /dev/null +++ b/truthinquiry/utils.py 
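Review bot: The four views now gated by `@require_admin(api=True)` (`set_questions`, `set_traits`, `set_places`, `set_npc`) all write to the database yet keep `methods=["GET", "POST"]`, so once an admin session exists a plain GET — a link, a bookmark, a browser prefetch — can trigger a write. They all read `flask.request.json`, so a request body is required anyway and changing each to `methods=["POST"]` loses nothing while keeping writes off the GET path. The bodies of these views continue past the hunks shown here.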
@@ -0,0 +1,20 @@ +from functools import wraps + +import flask + +def require_admin(*args, **kwargs): + def decorator(route): + @wraps(route) + def decorated_function(*route_args, **route_kwargs): + + if flask.session.get("admin"): + return route(*route_args, **route_kwargs) + elif kwargs.get("api"): + return {"error": 1, "msg": "Invalid authentication"} + elif kwargs.get("ui"): + return flask.redirect("/admin/auth") + else: + raise ValueError("Can't determine request type") + + return decorated_function + return decorator From 9433d625f9fbb6d1e140d9ce6c8b56858f3a48dc Mon Sep 17 00:00:00 2001 From: Thomas Rubini <74205383+ThomasRubini@users.noreply.github.com> Date: Mon, 27 Mar 2023 17:12:23 +0200 Subject: [PATCH 2/2] add admin auth method --- .env.dist | 1 + truthinquiry/routes/routes_admin.py | 4 ++++ truthinquiry/routes/routes_api_admin.py | 11 +++++++++++ truthinquiry/templates/admin/auth.html | 5 +++++ 4 files changed, 21 insertions(+) create mode 100644 truthinquiry/templates/admin/auth.html diff --git a/.env.dist b/.env.dist index 32463fa..4320f4d 100644 --- a/.env.dist +++ b/.env.dist @@ -9,3 +9,4 @@ DB_PORT=3306 DB_USER="" DB_PASSWORD="" DB_DBNAME="" +ADMIN_PASSWORD="s0meV3ryL0ngP@sswOrd" \ No newline at end of file diff --git a/truthinquiry/routes/routes_admin.py b/truthinquiry/routes/routes_admin.py index 4572278..8b831a7 100644 --- a/truthinquiry/routes/routes_admin.py +++ b/truthinquiry/routes/routes_admin.py @@ -17,6 +17,10 @@ def index(): npcs_dicts = [{"id": npc_obj.NPC_ID, "name": npc_obj.NAME_LOCALE.get_text(DEFAULT_LANG).TEXT} for npc_obj in npcs_objs] return flask.render_template("admin/index.html", npcs=npcs_dicts) +@routes_admin.route("/auth") +def auth(): + return flask.render_template("admin/auth.html") + @routes_admin.route("/npc/") @require_admin(ui=True) def npc(npc_id): diff --git a/truthinquiry/routes/routes_api_admin.py b/truthinquiry/routes/routes_api_admin.py index 1caccbe..0e6e8ff 100644 --- a/truthinquiry/routes/routes_api_admin.py 
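Review bot: The `api=True` branch of `decorated_function` returns the `Invalid authentication` body with HTTP 200, so an unauthenticated call to a protected API view is indistinguishable by status from success and never shows up in access logs or monitoring as an auth failure; `return {"error": 1, "msg": "Invalid authentication"}, 401` fixes that. The `else: raise ValueError(...)` is only reached at request time, so a decorator applied with neither `api` nor `ui` surfaces as a 500 on the first unauthenticated request rather than failing at import; making the two options keyword-only and checking them inside `require_admin` itself moves the error to decoration time, and also drops the `*args` that is accepted but never read. Rewritten below, keeping the `/admin/auth` redirect unchanged.
```python
def require_admin(*, api=False, ui=False):
    # Decide the failure mode once, at decoration time, instead of raising on
    # the first unauthenticated request.
    if not (api or ui):
        raise ValueError("Can't determine request type")

    def decorator(route):
        @wraps(route)
        def decorated_function(*route_args, **route_kwargs):
            if flask.session.get("admin"):
                return route(*route_args, **route_kwargs)
            if api:
                return {"error": 1, "msg": "Invalid authentication"}, 401
            return flask.redirect("/admin/auth")

        return decorated_function

    return decorator
```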
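Review bot: `ADMIN_PASSWORD="s0meV3ryL0ngP@sswOrd"` ships a non-empty example secret in a file that exists to be copied, whereas every other credential in it (`DB_USER`, `DB_PASSWORD`, `DB_DBNAME`) is left as `""`; a deployment that copies .env.dist without editing it ends up with an admin password that is public in the repository history. Leave it empty — `ADMIN_PASSWORD=""` — and have the login view treat an empty or unset value as "admin login disabled" rather than as a password to compare against.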
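Review bot: `auth()` is the one view in this blueprint deliberately left without `@require_admin(ui=True)`, and nothing in the code says so; a one-line comment above it, `# Login page: must stay reachable without an admin session`, keeps the next reader from "fixing" it. The `?failed=1` query that the API login view redirects back with is not passed to `render_template` here, so the template presumably reads `request.args` itself — worth confirming, otherwise a failed login shows no feedback.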
+++ b/truthinquiry/routes/routes_api_admin.py @@ -1,3 +1,5 @@ +import os + import flask from sqlalchemy import select, delete, or_ @@ -8,6 +10,15 @@ from truthinquiry.utils import require_admin routes_api_admin = flask.Blueprint("api_admin", __name__) +@routes_api_admin.route("/auth", methods=["GET", "POST"]) +def auth(): + password = flask.request.values.get("password") + if password == os.getenv("ADMIN_PASSWORD"): + flask.session["admin"] = True + return flask.redirect("/admin") + else: + return flask.redirect("/admin/auth?failed=1") + @routes_api_admin.route("/setQuestions", methods=["GET", "POST"]) @require_admin(api=True) def set_questions(): diff --git a/truthinquiry/templates/admin/auth.html b/truthinquiry/templates/admin/auth.html new file mode 100644 index 0000000..122bfa8 --- /dev/null +++ b/truthinquiry/templates/admin/auth.html @@ -0,0 +1,5 @@ +
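Review bot: `auth()` grants the admin session when `ADMIN_PASSWORD` is not configured: `os.getenv("ADMIN_PASSWORD")` returns `None` then, `flask.request.values.get("password")` returns `None` for a request without the field, and `None == None` is true, so the `flask.session["admin"] = True` branch runs for anyone who submits an empty login. The comparison should require both values to be present and use `hmac.compare_digest` (needs `import hmac` next to the new `import os`) so it is not timing-dependent. The route also accepts GET, which puts the submitted password in the query string and in server logs; `methods=["POST"]` with the field read from the form body avoids that, provided the login form posts. Rewritten below.
```python
@routes_api_admin.route("/auth", methods=["POST"])
def auth():
    expected = os.getenv("ADMIN_PASSWORD")
    password = flask.request.form.get("password")
    # Both must be present: os.getenv() and form.get() return None when the
    # value is missing, and a bare `==` would then accept an empty login.
    if expected and password and hmac.compare_digest(password.encode(), expected.encode()):
        flask.session["admin"] = True
        return flask.redirect("/admin")
    return flask.redirect("/admin/auth?failed=1")
```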
+

Password :

+ + +
\ No newline at end of file